India surrenders to US pressure on ‘data localisation’ : Piyush Goyal & RBI send out confusing signals
The RBI, which last year had mandated foreign e-commerce companies to store payment data in India now says that data on Indians can be processed ‘abroad’ but will have to be ‘stored in India’
On June 25, the day before US Secretary of State landed in New Delhi, Commerce Minister Piyush Goyal met representatives of Walmart and a dozen other e-commerce companies.
The very next day Goyal himself announced that India had dropped its insistence on ‘Data Localisation’. Curiously, on the same day the Reserve Bank of India reiterated what it had laid down last year in April, 2018. “The entire payment data shall be stored in systems located only in India”.
Even more curiously, the RBI statement added, “there was no bar on processing of the data abroad, but the end data should only be stored in India”!
What kind of data protection is this?
During his address at the inaugural of a special session on digital economy in Osaka, US President Donald Trump attacked both China and India. The attack was marked by glaringly absurd contradictions.
While China was attacked for violation of security and intellectual property, especially in the light of Trump’s ban on the Chinese telecom giant Huawei, India was singled out for attack on its condition on data localisation as if India cannot and should not have the same security and intellectual property concerns over the personal data of its citizens.
Immediately after boarding his flight on his way to Osaka, Trump tweeted, “India’s high tariffs are unacceptable”. And then came the attack on India at the inaugural of the special session on digital economy.
But barely three days before Trump’s attack on India at G20, on 26th June 2019, the Modi Government had dropped the data localisation conditionality from the new e-commerce policy. The US Secretary of State was in New Delhi that day and would have known about the development.
Still, why Trump chose to attack India on data localisation after India had already conceded the demand ? Was it because of the subsequent confusion created by the statement issued by Reserve Bank of India (RBI)?
It is impossible that RBI was unaware of the Commerce Minister’s announcement. It is also equally impossible that the Commerce Minister would announce such a major decision without taking the PMO and the Cabinet into confidence.
Were there last minute second thoughts on the part of the Modi Government on this issue? But there was no official denial of the stand announced by Piyush Goyal. Were they waiting to make the announcement in a separate statement after Modi-Trump meeting at Osaka so that Trump could claim at home that it was a huge victory for his aggressive diplomacy?
India’s volte-face poses several unanswered questions. Considering that data localisation was one of the central provisions of the Draft Personal Data Protection Bill 2018 which was tabled in Parliament. But this new decision means the Draft Data Protection Bill is now a dead-letter and the Bill cannot be tabled afresh in its old form.
The data that the foreign payment firms and companies collected during the course of e-commerce in India were supposed to be stored in India as per the 6 April 2018 RBI circular. It stated then that the data must perforce include end-to-end transaction details and information related to payment or settlement transaction collected or processed as part of a payment.
This may include information such as customer name, mobile number, email, Aadhaar number, PAN number; payment sensitive data such as customer and beneficiary account details; payment credentials such as OTP, PIN, Passwords, among other things.
All these data are crucial for the maintenance of the privacy of individuals as well as the confidentiality of business operations of the firms. One wonders what would be left of data security if India can have no control over such data.
Justice Srikrishna Committee, appointed to go into the issue of evolving a data protection legislation, had recommended setting up a data protection authority. But what data would now be left for such an authority to protect?
In a more fundamental sense, Section 44 in the Aadhaar Act—stated that the act would also apply to any offence or contravention committed outside India by any person involving any data from the Aadhaar data base. The provision enabled filing of FIRs against any person misusing Aadhaar data. But now if data can be stored and processed abroad and used, how can the Indian agencies curb its misuse? Will this section in the Aadhaar Act also be scrapped next?
(IPA Service. Edited by NH Web Desk)